Configure a VM Managed Service Identity (MSI) using the Azure portal

Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Managed Service Identity provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you will learn how to enable and disable the system assigned identity for an Azure VM, using the Azure portal. Assigning and removing user assigned identities from Azure VMs is not currently supported via the Azure Portal.

Note

Currently, user assigned identity operations are not supported via the Azure Portal. Check back for updates.

Prerequisites

Managed Service Identity during creation of an Azure VM

Currently, VM creation via the Azure portal does not support Managed Service Identity operations. Instead, please refer to one of the following VM creation Quickstart articles to first create a VM:

Then proceed to the next section for details on enabling Managed Service Identity on the VM.

Enable Managed Service Identity on an existing Azure VM

To enable the system assigned identity on a VM that was originally provisioned without it:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”.

  2. Navigate to the desired Virtual Machine and select the "Configuration" page.

  3. Enable the system assigned identity on the VM by selecting "Yes" under "Managed service identity" and then click Save. This operation can take 60 seconds or more to complete:

    Note

    Adding a user assigned identity to a VM is not currently supported via the Azure Portal.

    Configuration page screenshot

Remove Managed Service Identity from an Azure VM

If you have a Virtual Machine that no longer needs the system assigned identity:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”.

  2. Navigate to the desired Virtual Machine and select the "Configuration" page.

  3. Disable the system assigned identity on the VM by selecting "No" under "Managed service identity", then click Save. This operation can take 60 seconds or more to complete:

    Note

    Adding a user assigned identity to a VM is not currently supported via the Azure Portal.

    Configuration page screenshot
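After saving an enable or remove change, the result can be confirmed outside the portal. The check below is an added example, not part of the original article: it assumes VM inventory exported with `az vm list -o json`, where each entry carries the resource's `identity` block, and flags VMs whose system assigned identity state differs from an approved list. The VM names, IDs and allowlist are constructed.

```python
import json

# Constructed sample in the shape of `az vm list -o json` output (assumed export);
# only the fields this check reads are included.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web-01", "resourceGroup": "rg-prod",
   "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000001"}},
  {"name": "batch-02", "resourceGroup": "rg-prod", "identity": null},
  {"name": "old-build-03", "resourceGroup": "rg-dev",
   "identity": {"type": "SystemAssigned, UserAssigned", "principalId": "00000000-0000-0000-0000-000000000003"}},
  {"name": "jump-04", "resourceGroup": "rg-dev", "identity": {"type": "None"}}
]
""")

# Hypothetical allowlist: VMs that are supposed to have a system assigned identity.
EXPECTED = {"web-01", "batch-02"}


def has_system_identity(vm):
    """True if the VM's identity block includes the system assigned type."""
    identity = vm.get("identity") or {}  # null or missing means no identity
    raw_type = identity.get("type") or ""
    # The type can be a comma-separated combination, so compare per element.
    types = {t.strip().lower() for t in raw_type.split(",")}
    return "systemassigned" in types


def audit(vms, expected):
    """Return (unexpected, missing) VM names relative to the allowlist."""
    enabled = {vm["name"] for vm in vms if has_system_identity(vm)}
    unexpected = sorted(enabled - expected)  # identity on but not approved: review for removal
    missing = sorted(expected - enabled)     # approved but identity off: enable, or save not finished
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_INVENTORY, EXPECTED)
    print("identity enabled but not expected:", unexpected)
    print("identity expected but not enabled:", missing)
```

Because the save operation can take 60 seconds or more, export the inventory after the portal reports completion before treating a "missing" result as a finding.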

Next steps

  • For an overview of Managed Service Identity, see overview.